cors/authentication headers


hunter morgan

Jan 18, 2017, 12:07:28 PM1/18/17
to Swagger, hunter...@capitalone.com, richard....@capitalone.com
This copies something from IRC; I just want to make sure it didn't get lost.

Hey, a teammate and I were unable yesterday to get a locally running swagger-editor to supply authentication to an API we were trying to test. I tried adding config from http://enable-cors.org/server_nginx.html, specifically the contents of one of the second two if blocks, because nginx complained at the inclusion of ifs. Must have something to do with the structure. Maybe because it's reverse proxying back to a node restify API? I also tried http://enable-cors.org/server_expressjs.html on the node API, but still no love. The nginx and API are live, in another castle, so I suspect it's CORS tripping us up.
The import proxy setting, is that just for spec import, not for proxying try-it-out requests? I tried starting a local cors-it and using that in that config section as well, but it didn't seem to change anything.

Ron Ratovsky

Jan 18, 2017, 3:05:31 PM1/18/17
to swagger-sw...@googlegroups.com, hunter...@capitalone.com, richard....@capitalone.com

Hi Hunter,

Replied to you on IRC.

It’s unclear what the actual problem is. You’re describing the solution you tried, but not what you experienced and what you’re trying to solve.

So, what’s the original issue?

--
You received this message because you are subscribed to the Google Groups "Swagger" group.
To unsubscribe from this group and stop receiving emails from it, send an email to swagger-swaggers...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ron Ratovsky

Jan 18, 2017, 4:56:27 PM1/18/17
to Morrisey, Richard, swagger-sw...@googlegroups.com, Morgan, Hunter

Hi Rich,

Thanks for the extra details.

We could definitely use better error handling (and we’re working on that, I promise).

It does indeed sound like a CORS issue, but let’s verify that’s the issue first.

Can you open your browser’s web console, switch to the network tab, and then execute the call?

Following what you see there, we can (hopefully) proceed.

From: "Morrisey, Richard" <Richard....@capitalone.com>
Date: Wednesday, 18 January 2017 at 12:53
To: Ron Ratovsky <Ron.Ra...@smartbear.com>, "swagger-sw...@googlegroups.com" <swagger-sw...@googlegroups.com>
Cc: "Morgan, Hunter" <Hunter...@capitalone.com>
Subject: Re: cors/authentication headers

Ron,

I originally had this issue. I installed swagger-editor 20.10.4 on OS X 10.11.6 (my laptop), from GitHub using the online documentation.

I have a request that requires basic authentication.

My security section looks like:

securityDefinitions:
  userSecurity:
    type: basic
    description: HTTP Basic Authentication. Works over `HTTP` and `HTTPS`

My path looks like:

/v2/data/clusters:
    get:
      security:
       - userSecurity: []
      description: |
        Returns a list of provisioned clusters
      responses:
        200:
          description: Cluster JSON

I enter my credentials in the rendered control panel and get a green checkmark. I click ‘Try this Operation’ on the indicated path, then ‘send request’. Then I see ‘ERROR Server not found or an error occurred’. (‘or an error occurred’ seems to wipe out the specificity of ‘Server not found’.) I’m pretty sure the server is being resolved in an earlier path/request that does not need basic auth; there is no problem getting to the server. However, I do note that there is no ‘Authorization:’ header in the request for this path even though I am specifying security.

We also have a warning about CORS. This may be a red herring.

Thanks for any help.

Rich


The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.

Ron Ratovsky

Jan 19, 2017, 3:19:16 PM1/19/17
to Morrisey, Richard, swagger-sw...@googlegroups.com, Morgan, Hunter

Hi Rich,

So yeah, that is an indicator of a CORS issue, but it could be something slightly different.

You’re getting 401 Unauthorized on OPTIONS, and you shouldn’t: OPTIONS calls should never require authorization.

That could be a hint as to what to look into.

From: "Morrisey, Richard" <Richard....@capitalone.com>
Date: Thursday, 19 January 2017 at 7:46
To: Ron Ratovsky <Ron.Ra...@smartbear.com>, "swagger-sw...@googlegroups.com" <swagger-sw...@googlegroups.com>
Cc: "Morgan, Hunter" <Hunter...@capitalone.com>
Subject: Re: cors/authentication headers

Sorry Ron, I am working on old-fashioned email time rather than IM :( See the screen capture below. I don’t believe I am exposing any sensitive info.

See screenshot (image001.png, not reproduced here)

I already had that open.

Ron Ratovsky

Jan 19, 2017, 4:06:26 PM1/19/17
to Morgan, Hunter, Morrisey, Richard, swagger-sw...@googlegroups.com
No worries about asking questions, that’s why we’re here.

There’s no fixed answer to what config is needed for OPTIONS and CORS as that depends on your API.
You need to enable access to the different HTTP verbs and any headers you’re going to use with your API.

For example, in our petstore, running:
curl -I http://petstore.swagger.io/v2/swagger.json

Results in:

HTTP/1.1 200 OK
Date: Thu, 19 Jan 2017 21:05:25 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, DELETE, PUT
Access-Control-Allow-Headers: Content-Type, api_key, Authorization
Content-Type: application/json
Content-Length: 0
Connection: close
Server: Jetty(9.2.9.v20150224)

You’ll notice the `api_key` header on the list because the pet store sample uses a header with that name.

On 19/01/2017, 12:22, "Morgan, Hunter" <Hunter...@capitalone.com> wrote:

I’m sorry if I’m about to ask things that I just need to research, but with respect to the swagger ui, what is the required participation/capability/access config of options requests, and what is the context for those requests being made?
---
Hunter Morgan
Data Platform Engineering
540 391 0440
Hunter...@capitalone.com

